In a bold instance of putting its money where its mouth is, Google has announced it will pay up to $1 million to anyone who can exploit its Chrome Web browser.
At next week's CanSecWest security conference in Vancouver, British Columbia, contestants will win $60,000 for what Google calls a "full Chrome exploit," one that successfully hacks Chrome on Windows 7 exploiting only bugs found within Chrome.
For a partial exploit — one that includes at least one Chrome bug in addition to other bugs — researchers will win $40,000, Chris Evans and Justin Schuh from Google's Chrome Security Team explained on a blog.
A consolation prize of $20,000 will be given to anyone who hacks Chrome without using any of the browser's vulnerabilities. Google will issue multiple rewards per category, but will stop the contest at the $1 million limit. All winners will receive a Chromebook.
The consolation prizes "still help us toward our mission of making the entire Web safer," Evans and Schuh wrote.
Google has cause to flaunt Chrome's strengths; at last year's Pwn2Own hacking contest, hackers exploited Safari and Internet Explorer 8, while nobody even tried to attack Chrome.
This may be because Chrome employs malware-isolating "sandbox" technology, which keeps the effects of an exploited bug from spreading throughout the entire system. Potential attackers typically have to find two or more bugs to exploit a sandboxed program.
This year, Google withdrew from the annual Pwn2Own contest over concerns that contestants are allowed to enter Pwn2Own without having to reveal the full exploits to software vendors.
"Full exploits have been handed over in previous years, but it's an explicit non-requirement in this year's contest, and that's worrisome," Evans and Schuh wrote.